MauriGo
MauriGo is ransomware that runs on Microsoft Windows. It is aimed at English-speaking users.

Payload Transmission

MauriGo can be spread by breaking in through an insecure RDP configuration, by email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

MauriGo encrypts files with AES, targeting files with the following extensions: .3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

MauriGo marks the files it has encrypted by changing their extensions, in some cases appending '.encrypted' to the existing file name (so a file named report.docx becomes report.docx.encrypted). Note that the list above includes source code, database and design files alongside the usual documents and media, so developer workstations and file servers are hit as hard as user desktops.

MauriGo delivers its ransom note in the form of a text file dropped on the victim's computer. The note contains the following text:

The important files on your computer have been encrypted with military grade AES-256 bit encryption. Your documents, videos, images and other forms of data are now inaccessible, and cannot be unlocked without the decryption key. This key is currently being stored on a remote server. To acquire this key, please follow the instructions below before the time runs out.
(DATE - you have 7 days)
Prices to recover your files from:
1 machine on your network: 0.7 BTC
Half machines on your network (randomly chosen): 2.6 BTC
All machines on your network: 5 BTC
The BTC must be sent to this address: 19CMTC6U9KMHAn34iKXvofkA2ulNMcd823
Your hostname: DEVICE NAME
Your identification number (it is the same for all PC encrypted on your network): ***
After you've sent payment to our address, please go to our website (via normal browser):
xxxx://ldqu4hxg2gx6af7j.onion.plus/id/***
xxxx://ldqu4hxg2gx6af7j.onion.link/id/***
xxxx://ldqu4hxg2gx6af7j.tor2web.ch/id/***
If it doesn't work please download Tor Browser on their official page and use this link instead:
xxxx://ldqu4hxg2gx6af7j.onion/id/***
Once on the website, leave a simple comment to warn us. After that we will reply with your decryption key(s) as soon as possible. To demonstrate our sincerity, you can upload 2 encrypted files on the website and we will decrypt them. Also please understand that we don't want to taint the reliability of your business. Make a reasonable choice. Note that if you fail to take action within this time window (7 days), the decryption key will be destroyed and access to your files will be permanently lost.
Where to buy bitcoins (BTC)?
Bitcoin is a popular crypto-currency. We advise you to buy coins on https://localbitcoins.com/ because of its speed and anonymity. You can pay with Western Union, wire transfer... Of course there are many other ways to get bitcoins (ex: Coinbase), simply type on google "how to buy bitcoins".

The per-machine, half-network and whole-network price tiers, together with an identification number that is shared by every encrypted PC on the network, show that MauriGo is priced and tracked per network rather than per victim machine. The note also routes victims to its .onion hidden service through tor2web gateways (onion.plus, onion.link, tor2web.ch) so that no Tor Browser is needed; requests to those gateway domains in web proxy logs are therefore a useful post-infection indicator.

A cryptocurrency miner is also installed on the system, which executes the command:

wininiv.exe -o xmr.crypto-pool.fr:80 -u 48fVrHZuvLY8vFP19bVtqhD9yY3TL8HRqW8JM6MbtvvnTJ2icAQJogHCByJP6yPEKdewUKrKGS1ThJamQm6m5idLCiEkPVv -px -k -B --donate-level=1 -t 2

The argument set (a pool given with -o, a 95-character Monero wallet address passed as the -u username, -k keepalive, -B background, --donate-level and a -t thread count) is xmrig-style miner syntax, and xmr.crypto-pool.fr is a Monero pool, so the miner is mining Monero (XMR) for the attackers on top of the ransom demand. The miner process name wininiv.exe, the pool hostname and the wallet address are all usable as indicators.

Categories: Ransomware, Win32 ransomware, Win32 trojan, Win32, Microsoft Windows, Trojan
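The following is an added triage example written for this page; it is not code from the page, from any MauriGo sample, or from a published analysis tool. It turns the indicators described above into checks a responder can run offline: it classifies a file listing by the '.encrypted' suffix and the page's target extension list, pulls the pool, wallet and donate level out of an xmrig-style miner command line such as the one quoted above, and extracts hidden-service names reached directly or through the tor2web gateways the ransom note uses. It assumes the '.encrypted' suffix is appended to the whole original name (report.docx becomes report.docx.encrypted), which is how the page describes it; the file names, process command line and URLs in the sample data are constructed from the page's own indicators.

```python
"""Triage helpers for the MauriGo indicators described on this page.

Added example, not code from the page or from MauriGo analysis tooling.
Assumption: the '.encrypted' suffix is appended to the full original file
name. All sample inputs below are constructed from the page's indicators.
"""
import re
from typing import Dict, List, Optional, Tuple

# File extensions the page lists as targeted by MauriGo's AES encryption.
TARGETED_EXTENSIONS = frozenset("""
3gp 7z apk avi bmp cdr cer chm conf css csv dat db dbf djvu dbx docm doc epub docx
fb2 flv gif gz iso ibooks jpeg jpg key mdb md2 mdf mht mobi mhtm mkv mov mp3 mp4
mpg mpeg pict pdf pps pkg png ppt pptx ppsx psd rar rtf scr swf sav tiff tif tbl
torrent txt vsd wmv xls xlsx xps xml ckp zip java py asm c cpp cs js php dacpac
rbw rb mrg dcx db3 sql sqlite3 sqlite sqlitedb psp pdb dxf dwg drw casb ccp cal
cmx cr2
""".split())

ENCRYPTED_SUFFIX = ".encrypted"

# Monero payment addresses are 95 base58 characters beginning with 4 (or 8).
XMR_ADDRESS_RE = re.compile(r"(?<![1-9A-Za-z])[48][1-9A-HJ-NP-Za-km-z]{94}(?![1-9A-Za-z])")
# xmrig-style pool argument: -o host:port
POOL_RE = re.compile(r"(?:^|\s)-o\s+([A-Za-z0-9.-]+):(\d{1,5})(?=\s|$)")
# v2 (16 char) or v3 (56 char) onion names, bare or behind a tor2web gateway.
TOR2WEB_RE = re.compile(
    r"\b([a-z2-7]{16}|[a-z2-7]{56})\.(?:onion\.plus|onion\.link|tor2web\.ch|onion)\b", re.I
)

# Constructed sample data built from the indicators quoted on this page.
SAMPLE_MINER_CMDLINE = (
    "wininiv.exe -o xmr.crypto-pool.fr:80 -u "
    "48fVrHZuvLY8vFP19bVtqhD9yY3TL8HRqW8JM6MbtvvnTJ2icAQJogHCByJP6yPEKdewUKrKGS1ThJamQm6m5idLCiEkPVv"
    " -px -k -B --donate-level = 1 -t 2"
)
SAMPLE_NOTE_URLS = [
    "xxxx://ldqu4hxg2gx6af7j.onion.plus/id/***",
    "xxxx://ldqu4hxg2gx6af7j.onion.link/id/***",
    "xxxx://ldqu4hxg2gx6af7j.tor2web.ch/id/***",
    "xxxx://ldqu4hxg2gx6af7j.onion/id/***",
    "https://example.invalid/index.html",  # benign control entry
]


def split_encrypted_name(name: str) -> Optional[Tuple[str, str]]:
    """Return (original_name, original_extension) if name carries the
    '.encrypted' suffix, else None. The extension comes back lower-case."""
    if not name.lower().endswith(ENCRYPTED_SUFFIX):
        return None
    original = name[: -len(ENCRYPTED_SUFFIX)]
    ext = original.rsplit(".", 1)[1].lower() if "." in original else ""
    return original, ext


def triage_filenames(names: List[str]) -> Dict[str, List[str]]:
    """Bucket a file listing into encrypted files whose original extension is
    on the page's target list, encrypted files outside it, and untouched files."""
    out: Dict[str, List[str]] = {"encrypted_targeted": [], "encrypted_other": [], "untouched": []}
    for n in names:
        parts = split_encrypted_name(n)
        if parts is None:
            out["untouched"].append(n)
        elif parts[1] in TARGETED_EXTENSIONS:
            out["encrypted_targeted"].append(n)
        else:
            out["encrypted_other"].append(n)
    return out


def miner_indicators(cmdline: str) -> Dict[str, Optional[str]]:
    """Extract pool, wallet and donate level from an xmrig-style command line;
    a field is None when the argument is absent. Tolerates the spaced
    '--donate-level = 1' form as well as '--donate-level=1'."""
    pool = POOL_RE.search(cmdline)
    wallet = XMR_ADDRESS_RE.search(cmdline)
    donate = re.search(r"--donate-level\s*=?\s*(\d+)", cmdline)
    return {
        "pool": f"{pool.group(1)}:{pool.group(2)}" if pool else None,
        "wallet": wallet.group(0) if wallet else None,
        "donate_level": donate.group(1) if donate else None,
    }


def is_miner_cmdline(cmdline: str) -> bool:
    """A pool endpoint plus a Monero wallet passed as the username is enough
    to flag the process regardless of the binary name it was renamed to."""
    ind = miner_indicators(cmdline)
    return ind["pool"] is not None and ind["wallet"] is not None


def onion_contacts(urls: List[str]) -> List[str]:
    """Unique hidden-service names contacted directly or via a tor2web gateway,
    in first-seen order; useful against proxy logs after an infection."""
    found: List[str] = []
    for u in urls:
        m = TOR2WEB_RE.search(u)
        if m and m.group(1).lower() not in found:
            found.append(m.group(1).lower())
    return found


if __name__ == "__main__":
    listing = ["report.docx.encrypted", "schema.sql.encrypted", "notes.xyz.encrypted", "readme.txt"]
    print(triage_filenames(listing))
    print(miner_indicators(SAMPLE_MINER_CMDLINE), is_miner_cmdline(SAMPLE_MINER_CMDLINE))
    print(onion_contacts(SAMPLE_NOTE_URLS))
```

The wallet check deliberately keys on the address shape rather than the specific address from the page, so a rebuilt sample with a new wallet or a renamed binary is still caught; the file triage treats an encrypted file whose original extension is not on the page's list as a separate bucket so that a changed or widened target list shows up in the output instead of being silently counted as untouched.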